Sample Captures

So you're at home tonight, having just installed Wireshark. You want to take the program for a test drive. But your home LAN doesn't have any interesting or exotic packets on it? Here's some goodies to try. Please note that if for some reason your version of Wireshark doesn't have zlib support, you'll have to gunzip any file with a .gz extension.

If you don't see what you want here, that doesn't mean you're out of luck; look at some of the other sources listed below, such as http://www.pcapr.net/.

How to add a new Capture File

If you want to include a new example capture file, you should attach it to this page (click 'attachments' in header above). In the corresponding text, you might explain what this file is doing and what protocols, mechanisms or events it explains. Links from here to the related protocol pages are also welcome.

Please don't just attach your capture file to the page without putting an attachment link in the page, in the format attachment:filename.ext; if you don't put an attachment link in the page, it's not obvious that the capture file is available.

It's also a very good idea to put links on the related protocol pages pointing to your file. Referring to an attachment on this page from another Wiki page requires a link on that other Wiki page in the format attachment:SampleCaptures/filename.ext. For an example of this, see the NetworkTimeProtocol page.

BT_USB_LinCooked_Eth_80211_RT.ntar.gz (pcap-ng) A selection of Bluetooth, Linux mmapped USB, Linux Cooked, Ethernet, IEEE 802.11, and IEEE 802.11 RadioTap packets in a pcap-ng file, to showcase the power of the file format, and Wireshark's support for it. Currently, Wireshark doesn't support files with multiple Section Header Blocks, which this file has, so it cannot read it. In addition, the first packet in the file, a Bluetooth packet, is corrupt - it claims to be a packet with a Bluetooth pseudo-header, but it contains only 3 bytes of data, which is too small for a Bluetooth pseudo-header.

bootparams.cap.gz (libpcap) A couple of rpc.bootparamsd 'getfile' and 'whoami' requests.

cmp-in-http-with-errors-in-cmp-protocol.pcap.gz (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. Full "Initialization Request" and rejected "Key Update Request". There are some errors in the CMP packages.

cmp_in_http_with_pkixcmp-poll_content_type.pcap.gz (libpcap) Certificate Management Protocol (CMP) version 2 encapsulated in HTTP. The CMP messages are of the deprecated but used content-type "pkixcmp-poll", so they are using the TCP transport style. In two of the four CMP messages, the content type is not explicitly set, thus they cannot be dissected correctly.

imap.cap.gz (libpcap) A short IMAP session using Mutt against an MSX server.

RawPacketIPv6Tunnel-UK6x.cap (libpcap) - Some IPv6 packets captured from the 'sit1' interface on Linux. The IPv6 packets are carried over the UK's UK6x network, but what makes this special, is the fact that it has a Link-Layer type of "Raw packet data" - which is something that you don't see everyday.

isl-2-dot1q.cap (libpcap) A trace including both ISL and 802.1q-tagged Ethernet frames. Frames 1 through 381 represent traffic encapsulated using Cisco's ISL, frames 382-745 show traffic sent by the same switch after it had been reconfigured to support 802.1Q trunking.

PROTOS Test Suite Traffic

The files below are captures of traffic generated by the PROTOS test suite developed at the University of Oulu. They contain malformed traffic used to test the robustness of protocol implementations; they also test the robustness of protocol analyzers such as Wireshark.

NFS Protocol Family

nfs_bad_stalls.cap (libpcap) An NFS capture containing long stalls (about 38ms) in the middle of the responses to many read requests. This is useful for seeing the staircase effect in TCP Time Sequence Analysis.

SNMP

snmp_usm.pcap A series of authenticated and some encrypted SNMPv3 PDUS

the authPassword for all users is pippoxxx and the privPassword is PIPPOxxx.

pippo uses MD5 and DES

pippo2 uses SHA1 and DES

pippo3 uses SHA1 and AES

pippo4 uses MD5 and AES

Network Time Protocol

File:NTP_sync.pcap (4KB, showing the NetworkTimeProtocol) Contributor: Gerald CombsDescription: After reading about the round robin DNS records set up by the folks at pool.ntp.org, I decided to use their service to sync my laptop's clock. The attached file contains the result of running

net time /setsntp:us.pool.ntp.org
net stop w32time
net start w32time

at the command prompt. Something to note is that each pool.ntp.org DNS record contains multiple addresses. The Windows time client appears to query all of them.

Sigtran Protocol Family

isup.cap A single call's signalling sequence using ISUP/MTP3/M3UA/SCTP/IP. NOTE: The M3UA version preference must be set to "Draft 6" to successfully view this file (Edit->Preferences->Protocols->M3UA->M3UA Version->Internet Draft version 6).

camel.pcap A single call using CAMEL/TCAP/SCCP/MTP3/M2UA/SCTP/IP. This "capture" has been generated using text2pcap tool, from MTP3 raw data trace. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, ApplyCharging, Continue, EventReportBCSM, ApplyChargingReport, ReleaseCall.

camel2.pcap Same as camel.pcap capture, except that the it is using another Camel phase. The other difference is that the call is rejected. The capture contains the following Camel operations: InitialDP, RequestReportBCSMEvent, Connect, ReleaseCall.

gsm_map_with_ussd_string.pcap This "capture" has been generated using text2pcap tool, from MTP3 raw data trace. It contains a GSM MAP processUnstructuredSS-Request MAP operation with a USSD String (GSM 7 bit encoded).

iscsi-scsi-10TB-data-device.zip contains a complete log of iSCSI traffic between MS iSCSI Initiator and Linux iSCSI Enterprise Target with a 10TB block device exported. See the use of READ_CAPACITY_16, READ_16, and WRITE_16.

iscsi-tapel.gz contains some operation log of iSCSI traffic between Linux open-iscsi initiator and Linux iSCSI Enterprise Target. The target is a EXABYTE EXB480 Tape library. Various mtx operations are executed.

FIP is the FCoE Initialization Protocol. fip-adv.cap.gz shows advertisement, discovery and FLOGI. fip-ka.cap.gz shows keep-alives and a clear-virtual-link. Note that the host and gateway are not necessarily using FIP correctly.

scsi-osd-example-001.pcap is a trace of the IBM osd_initiator_3_1_1 (an OSD tester application) exercising IBM's ibm-osd-sim (an emulation of an OSD target device). The transport involved is iSCSI, and makes use of the relatively unusual new SCSI feature of bidirectional data transfer. The trace captures the initial iSCSI Logins, through INQUIRY and REPORT LUNS, followed by a number of commands from the SCSI-OSD command set such as FORMAT OSD, LIST, CREATE PARTITION, CREATE, WRITE, READ, REMOVE, REMOVE PARTITION, and SET ROOT KEY.

Peer-to-peer protocols

MANOLITO Protocol

PioletSearch.Manolito.cap (Microsoft Network Monitor) Here's a Piolet/Blubster (MANOLITO) capture for your enjoyment: It is a few packets I captured whilst looking for some Dr. Alban songs using Piolet.

Manolito2.cap (Microsoft Network Monitor) Here's some more Manolito packets (this time, it's just general sign-in).

Kaspersky Update Protocol

Kerberos and keytab file for decryption

krb-816.zip An example of Kerberos traffic when 2 users logon domain from a Windows XP. keytab file is included. With Kerberos decryption function in wireshark 0.10.12, some encrypted data can be decrypted.

The *-ssl.pcapng capture files above can be found at https://git.lekensteyn.nl/peter/wireshark-notes/tree/tls/ with the pre-master key secrets being available in the capture file comments. See the commit log for further details. The keys have been extracted from the OpenSSL library using a LD_PRELOAD interposing library, libsslkeylog.so (sslkeylog.c).

Lontalk (EIA-709.1) encapsulated in EIA-852

DVB-CI (Common Interface)

A DVB-CI module is plugged into a receiver and initialized. The receiver asks the module to descramble a Pay-TV service. After a moment, there’s a service change and another request to descramble the newly selected service. After some seconds, the module is removed from the receiver.

File:Read-FeliCa-Lite-NDEF-Tags.cap A trace file from a USB-connected NFC transceiver based upon the NXP PN532 chipset, containing packets from a successful attempt at enumerating, and reading the contents of two Sony FeliCa Lite tags.

hiqnet_visiremote-soundcraft_session.pcapng.gz hiqnet: A session between Soundcraft's ViSiRemote iPad application and a Soundcraft Si Compact 16 digital mixing console playing around with different values. The VU-meters stream is not part of this capture because it uses another protocol (UDP on port 3333).

Discussion

Is sample the right name, instead of example? I always think about a sampling rate. - Ulf Lamping

In this context, "sample" and "example" are interchangeable. I'm not sure which is more formally correct. - Gerald Combs

Think of "sample" as in "take a free sample of our magazine". Sampling really means that you're taking samples at specific points in time, so it is OK. - Olivier Biot

Hmmm, still unsure. Following your logic, Sample and Capture would have almost the same meaning. But I'm usually not interested that the capture is sampled from a specific network at a specific point in time, I'm looking for examples, how a specific network traffic does look like. I would think that sample in the way it's used here, is just an abbreviation for example, or do I miss something here. - Ulf Lamping

I see. Maybe then "example capture" is more appropriate than "sample capture" or "capture(d) sample". - Olivier Biot

What about "example sample"... Everyone would get it, and, most of it, it rhymes! - Luis Ontanon

What are the rules regarding attaching sample captures? I mean those that aren't yours. If it was seen "in the wild" (e.g., attached to an email on the mailing list or a bug), is that public enough for someone to attach it here? - Jeff Morriss

I've been thinking about that too -- if a sample example is sent to the list it's publicly avalable on the net intended or not and could be added to the examples? -- at least if its not obviusly a (bad) misstake -- Anders

An Iu-CS capture would be welcomed, containing both RANAP and Iu-UP traces of for example an AMR voice call.

I added Iu-CS capture just now!!! Please look under UMTS section. -Samba [email protected] When you open this in it may show IuUP packets, as UDP stream. In this case please click on relevant UDP packet and then select from menuAnalyze--->Decode As RTP(both ports) under Transport tab. In case of any help required, please do not hesitate to write to me.

Anyone have a capture of RTP conforming to RFC 2198 (Redundant Audio) or RFC 2733 (Generic FEC) encoding? Associated SIP/SDP signaling would be a bonus.

Does anyone have any capture files containing "raw" ATM packets (with AAL0/AAL5 would be handy)?. Thank you --

I am developing a tool in C++ that has as input a message in the hexadecimal format, encapsulated in SS7 protocols, of the type: ISUP, INAP and CAP. As exit a file .cap or .pcap to be read by the WireShark. To conclude this project it would like to have an example file (extension cap pcap) encapsulated in protocols INAP and CAP, because in the example files I only found of ISUP protocol.

Can anyone add a UCP capture? especially 5x series messages but others would be helful too... Thanks

Beware when cutting/pasting, some spaces are inserted after the backslash and bash shells don't like that.

--Phil

ok, I tried this one on my suse 9.3 box but htget was not found. A quick google showed that this tool seems to be Debian specific. It looks natural for us "newbie distribution users" to be more and more jealous of Debian... Anyway I found the source code at http://ftp.cvut.cz/debian/pool/main/h/htget/htget_0.93-1.1woody1.tar.gz and expanding the file, followed by 'make', 'make install' (as root) and copying htgetrc to ~/.htgetrc did the trick. Thanks so much for this, ahem, ugly skript that has the undeniable advantage of working great!

--Eberhard

The reason the wget doesn't work is the <meta name="robots" content="index,nofollow"> in the html of the wiki pages. Is there a reason we have that?

--Rich van der Hoff

Try using Download Accelerator Plus (DAP). When integrated with Firefox there is an option called "Save all .." in the right-click context menu

-- Razor

Hi

I used htget, but got all these Sample.* Prefixes, which may you want to remove:

The "Forbidden" response to wget is caused by the "do=view" part of the link. These files that cause this error can be retrieved okay if substituting this part with "do=get". Suggest the following command (that also has a benefit of auto-renaming the files and doesn't use that hideous htget utility):

The above command will result in file names such as 'SampleCaptures?...&target=foo.pcap'. To get "foo.pcap" instead, you could use the following commands to create symlinks (the advantage is that you can run the wget command again which will skip existing files):